The Federal Trade Commission ("FTC") has released a new educational pamphlet, Fighting Fraud with the Red Flags Rule: A How-To Guide for Business (hereafter, "Fighting Fraud").[1] Fighting Fraud explains in plain English the FTC's expectations for companies as they struggle to comply with 16 C.F.R. § 681.2 ("the Red Flags Rule").
When does the Red Flags Rule come into effect?
The Red Flags Rule has been in effect since Jan. 1, 2008. Fighting Fraud at 3. However, the FTC has determined that it will give FTC-regulated businesses until May 1, 2009 to set up identity theft detection and deterrence programs.[2]
To whom does the Red Flags Rule apply?
The requirement to have an Identity Theft Prevention Program falls on "financial institutions and creditors."
What counts as a financial institution?
"The Red Flags Rule defines a 'financial institution' as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer." Fighting Fraud at 8.
We already have a federal financial regulator. Does the Red Flags Rule still apply to us?
Yes. "If you work for a bank, federally chartered credit union, or savings and loan, check with your federal regulatory agency for guidance." Fighting Fraud at 3.
How do I know if I am a creditor?
If you provide services now in exchange for payment later, you are a "creditor" under the Rule and are subject to its provisions. Fighting Fraud at 9–10.
We're a health care provider. We already follow HIPAA. Does the Red Flags Rule still apply to us?
The FTC has specifically addressed this question.[3] Per the FTC, the Rule applies to health care providers the same as it applies to any business. Since almost all health care providers provide services now in exchange for payment later, almost all are subject to the Red Flags Rule.
Does the Red Flags Rule require anything in writing?
Yes. The Rule requires a "financial institution or creditor" to "develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft[.]"[4]
Can just anyone in the organization set up the Program?
No. "Your initial written Program must get the approval of your board of directors or an appropriate committee of the board; if you don't have a board, someone in senior management must approve it." Fighting Fraud at 26.
Will we need to update the Program?
Yes. "The Rule recognizes that new red flags emerge as technology changes or identity thieves change their tactics. Therefore, it requires periodic updates to your Program to ensure that it keeps current with identity theft risks." Fighting Fraud at 25.
How often is "periodic"?
While the Rule does not say how often the Program must be updated, the Interagency Guidelines suggest that, "Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor," and that this report should include, among other things, "recommendations for material changes to the Program."[5]
What are the mandatory components of a Program?
Your Program must:
- "Include reasonable policies and procedures to identify the 'red flags' of identity theft you may run across in the day-to-day operation of your business." Fighting Fraud at 4.
- Explain how your company will detect red flags.
- Detail what concrete steps will be taken when a red flag is spotted.
- Plan for periodic updates.
- "State who's responsible for implementing and administering it effectively." Id.
- Include appropriate staff training.
- Address contractor compliance.
How long does it take to set up a Program?
The required complexity of a Program is tied to the size of the institution and the level of risk of identity theft.